
What is well integrity?

(Well integrity concepts and terminology)


Well Integrity is defined in Norsok D-010 as: application of technical,
operational and organizational solutions to reduce risk of uncontrolled release
of formation fluids throughout the life cycle of a well.
Norsok D-010 is a functional standard and sets the minimum requirements for
the equipment/solutions to be used in a well, but it leaves it up to the operating
companies to choose the solutions that meet the requirements. The operating
companies then have the full responsibility for being compliant with the
standard.
Following from this definition, the personnel planning the drilling and
completion of wells will have to identify the solutions that give safe well life
cycle designs that meet the minimum requirements of the standard.
Another implication is that operating companies and service providers have an
obligation to ensure that the equipment planned to be used will comply with
the standard and if not, the equipment will need to be improved and qualified
before use. Deviations from the standard can be made in some cases when the
standard allows this. If a solution selected deviates from the standard, then this
solution needs to be equivalent or better compared to what the requirement is.
When selecting technical solutions, it is important to set the right equipment
specifications and define the requirements for the well barrier to ensure the
well integrity is maintained throughout the well life. Typical things to specify
are the BOP rating and size, the casings to be used, the pressure rating on
downhole and topside equipment and the material specification of the
equipment. These specifications will be set at an early stage of a project and
the later selection of equipment will be based on it.

NORSOK D-010 specifies that: There shall be two well barriers available
during all well activities and operations, including suspended or abandoned
wells, where a pressure differential exists that may cause uncontrolled
outflow from the borehole/well to the external environment. This sets the
foundation for how to operate wells and keep the wells safe in all phases of
the development. This requirement is also referred to in the PSA's Activities and
Facilities regulation and it implies that operators have to adhere to the two
well barrier philosophy and maintain sufficient adherence in all phases of
their operations.
Good operational solutions are also required to ensure that the well
integrity requirements are met. A typical example is the requirement to
regularly function and pressure test the sub-surface safety valve to ensure
it is operational at all times. The operational solution will include procedures
for operating valves on a well, flowing restrictions etc. that can have an
impact on the integrity of the well and other day-to-day activities to keep a
well under control and producing it in a safe manner. Another example is to
continuously monitor the pressure in the annuli of a well to ensure a leak or
breach of a well barrier is detected early and that corrective action can be
taken before the problem escalates.
Organizational solutions are also required to ensure the required well
integrity is maintained. This will include, amongst other things, that the
operating company ensures that people with the right competence are
working with well operations and that they are up to date with the latest
well status. Good communication between the parties involved is required
so that the correct information is shared and passed on at e.g. shift
handovers. In handover documentation, all relevant information with
regards to barriers, operational limits, valve status, design of the well etc.
has to be compiled as part of a handover package. Many problems and
accidents have been due to poor handover documentation or
communication, and good routines and organizational solutions for this are
required to maintain the required level of safety in offshore operations.
The Petroleum Safety Authority (PSA) has published the regulatory requirements regarding
well integrity aspects like organizational solutions, management system, competence and
training, work processes, operational organization, emergency preparedness etc.
Well barriers and failure modes of different well barrier elements have been
discussed in Chapter 3. A failure of a well barrier element will usually result
in a well with reduced integrity. If a well barrier has failed, the only action
that can take place in the well is to restore the failed well barrier.
Alternatively, the well can be plugged and made secure or in some cases,
the well barrier can be redefined and production continued until the failure
can be corrected.
Chapter 3 also discusses tools and methods that can be used to identify
failures and how failures can be prevented. In some cases where many
components fail at the same time or as a result of other components failing,
then the well integrity will be lost and the well has to be shut in to avoid
further escalation and damage.

Background and History


There has been a significant technological evolution in the drilling industry during the past
30 years. The early platforms on the Norwegian Continental Shelf were designed for wells with
a reach of 3 km from the platform. To cover a large reservoir often several platforms were
required. Examples are Statfjord A, B and C and Gullfaks A, B and C. As these platforms were
very expensive, alternative solutions were pursued such as subsea installations and extended
reach wells. Today it is possible to reach targets 12 km from the platform. One new platform
can replace three old platforms from a reservoir coverage point of view.
The technical evolution exemplified above requires technology and improvement on very many
levels. Obviously since the wells are much longer, the risk of failure is also increased.
Unfortunately, the high number of elements that can possibly fail makes the analysis difficult.
Well Integrity can in its simplest definition be defined as a condition of a well in operation that
has full functionality and two qualified well barrier envelopes. Any deviation from this state is
a minor or major well integrity issue. Common integrity issues are often related to leaks in
tubulars or valves, but can also be related to reservoir issues such as loss of zonal control. Any factor
that leads to a functional failure is a loss of well integrity. The challenge is of course to define
all possible scenarios.
History shows some severe examples of losing integrity in wells such as
Phillips Petroleum's Bravo blowout in 1977, Saga Petroleum's underground
blowout in 1989, Statoil's blowout on Snorre in 2004, and BP's Macondo
blowout in the Gulf of Mexico in 2010. These serious accidents remind us of
the potential dangers in the oil and gas industry and they are some of the
main drivers for the current focus on well integrity in the industry.
The Petroleum Safety Authority (PSA) initiated a pilot study in 2006, which has resulted in a
continuous activity in well integrity. The pilot study was based on supervisory audits and input
from seven operating companies, including 12 offshore facilities and 406 wells and presents a
snapshot of the well integrity status of the selected wells at the time. The results indicated that
18 % of the wells in the survey had integrity failures, issues or uncertainties and 7 % of these
were shut in because of well integrity issues. A later study indicated that every fifth production
well and every third injection well may suffer from well integrity issues. An interesting
observation was that old wells had few well integrity issues; in fact, most problems occurred in
the age group 5-14 years. These conclusions are not general but are limited to the studies
referred to.
It is clear from the above description that well integrity is an important
safety aspect of a well. However, some of the issues are not critical,
whereas some may lead to accidents.
2.1 What can go wrong in wells?
Many different types of failures can lead to loss of well integrity. The degree
of severity is also varying. For each of the blowouts mentioned above, a
long chain of events led to the incidents. The simplest approach would be to
consider failure of individual well components. Figure 2 shows some results
from a PSA study conducted in 2006. Clearly the production tubing is the
dominating component with failure. This is not unexpected, as the tubing is
exposed to corrosive elements from the produced fluids and the production
tubing consists of many threaded connections, where the high number of
connections gives a high risk of leak. Two well barriers between the
reservoirs and the environment are required in the production of
hydrocarbons to prevent loss of containment. If one of the elements shown
in Figure 1 fails, the well has reduced integrity and operations have to take
place to replace or restore the failed barrier element.
Figure 2 Example of failure statistics with age.(8)
Loss of well integrity is either caused by mechanical, hydraulic or electric failure as related to
well components, or by wrongful application of a device. An example of the latter is to not
close the BOP during a well control incident. This shows that we must go beyond the technical
aspects and also consider well management aspects. In hindsight many well incidents have
become worse because of wrong decisions. Education and training therefore form an important
basis for improved well integrity.
2.2 How likely is loss of well integrity?
The likelihood of a failure is connected to underlying causes. One example is a 100 year ocean
wave that often is the design criterion for offshore structures. By extrapolating the wave height
frequency diagram to 100 years this value is obtained. It is a statistical figure with no
correlation to actual events. It gives us a means to relate the severity of an event to the
expected frequency of occurrence.
Likelihood is also important from another perspective, namely if it is realistic. How likely is it
that the standby boat collides with the semisubmersible rig during a well control event? We
understand that there is a compromise between the severity threshold and the number of
scenarios to consider. The PSA study did not resolve the likelihood issue, but there was some
information that is relevant. Figure 3 shows the number of wells with integrity problems from
the pilot study.
Of the components identified, the production tubing suffered failure in many
wells. Based on the information from Figure 3, there is a high probability
that the well will experience a leakage in the tubing during its lifetime. To
reduce the risk of failure it is important to control the risk factors and to
detect leakages at an early stage (before failure).
Figure 3 Example of barrier element failures (8)
2.3 What are the consequences of loss of well integrity?
The obvious consequences are blowouts or leaks that can cause material
damage, personnel injuries, loss of production and environmental damage,
resulting in costly and risky repairs.
Knowing that most of the wells in the North Sea have large production
rates, losses due to production/injection stop may be very costly. Often
these losses exceed the cost of the repair of the well.
This shows that well integrity depends not only on equipment robustness,
but on the total process, the competence and resources of the organization
and the competence of the individual. In the following we will approach well
integrity from a technical perspective, but keep in mind that any other
element like a wrong operational decision may lead to well integrity issues.
2.4 Some cases of loss of well integrity
Several audits of well problems have been carried out by the PSA during the
last decade. All these problems led to well shut in for some time, and in
some cases the entire platform production was temporarily shut in. The
cases will show examples of losses of well integrity and the consequences.
2.4.1 Case 1: Failure of surface casing and drop of wellhead
A well was shut in for workover. During the cooling phase of the top of the
well it did not contract as expected. Rather, for a period there was no
thermal contraction, then the entire wellhead dropped 54 cm with a shock.
This was 44 cm more than expected.
On this platform the conductor does not carry any load from the wellhead
system. The surface casing string therefore carries most of the total weight
of the well. During production some of this is transferred to the intermediate
string, while the production casing carries little load.
Investigations revealed that the entire surface casing failed due to
corrosion. Due to loss of mechanical integrity the well was shut in until it
was fully restored.
The well was 8 years old. During installation a cement return port was left
open near the seabed. It is believed that this port gave access to fresh
seawater from the shaft of the concrete platform. Thermal effects and tidal
height variations inside the shaft were believed to bring salt water into the
surface casing leading to a corrosive environment at the top of the
annulus. To avoid this problem for future wells it was recommended to fill
the top of the surface casing annulus with oil, which would coat the exposed
tubular and eliminate corrosion. The well is shown in Figure 4.
The consequences were:
-The entire platform production stopped for one month resulting in huge
production losses
-The failed well was back into production after one year
-There was a high repair cost for the well
-Future installation procedures will not accept open return ports
2.4.2 Case 2: Failure of production casing hanger
Several problems occurred in a production well during a workover:
-The production casing hanger failed during a pressure test
-The tubing hanger failed during a pressure test
-The tubing running tool failed under operation
In the following we will therefore provide a brief description of the events.
9-5/8" Casing Hanger Failure

During installation of the 9-5/8" production casing, the casing hanger failed
during pressure testing, slipping through the wellhead. The hanger failed due to
excessive plastic deformation in the casing hanger system. Casing hangers
typically have a taper of about 40 degrees. However, this system was a slim
design using a taper of only 8 degrees. Investigations revealed further that the
system was designed for an axial load of 350 tonnes, but had been upgraded
to 600 tonnes axial load. Obviously axial overload was one of the root causes.
Figure 5 shows the casing hanger after failure. The yielded top of the casing
hanger is clearly seen in the picture.
5-1/2" Tubing Hanger Failure
The tubing hanger also failed as given in the description from the oil company:
"While in the process of installing the completion string, the tubing hanger was
locked down with the hold down bolts and a test plug was landed in the tailpipe
with the wire connected. After setting the packer, the 5-1/2" x 9-5/8" annulus
was pressured to 3500 psi as per standard procedures. When the pressure
reached 3500 psi, there was a sudden release of pressure and the landing
string moved up 2 feet indicating the hanger had been pushed up past the hold
down bolts. The control line to the SCSSV also parted above the hanger
allowing the SCSSV to close on the wireline. Well control was not jeopardized at
any point during this occurrence.
We are currently in the process of retrieving the wireline tools and will then pull
the hanger to surface to assess the cause of the failure. Although this does not
have a direct relationship to the 9-5/8" hanger failure, it is obvious that we
need to investigate the cause of the problem and implement corrective
measures as appropriate. We will take up this issue as part of the ongoing
investigation."
Running Tool Failure
During an attempt to shear the tubing string out of the PBR
assembly on the well, the tubing hanger tool parted. The tool was of a different
dimension and load capacity than the information provided in the running tool
manual. The root cause of this failure incident has been identified as incorrect
information on the maximum load rating of the tool. The tool failed because the
applied load exceeded the actual strength.
Figure 5 Deformed casing hanger after failure
The three incidents on the well described above were all related to axial
overload:
-The casing hanger failure was caused by overload resulting from the actual
strength of the equipment compared to its rated strength. It also appears that
this casing hanger system has an inherent design problem.
-The tubing hanger failed because misalignment during installation led to
uneven loading of the lock down bolts.
-The tubing running tool failure was due to overloading, because the
specifications stated a higher strength than the tool actually had.
When upgrading the axial capacity of the casing hanger the manufacturer
conducted a test. Even if the material yielded during this test both the
manufacturer and the oil company accepted the upgrade.
The consequences were:
-High cost of well repair
-The many wellheads of this type can only be used within original
specifications.
-Axial load upgrade acceptance was reversed; the casing and tubing hangers
can only be used with initial specifications.
-Correct specifications for running tools should be used.
-Running and landing procedures for production tubing should be improved.
2.4.3 Case 3: Loss of wellbore
A well was drilled and cased according to plan, setting an intermediate
liner and a 9 5/8" drill-in liner at the top of the reservoir. The shoe was drilled
out and a Formation Integrity Test (FIT) was performed. Then the intermediate
liner was pressure tested and the 9 5/8" drill-in liner was inflow tested. The test
showed no inflow.
While drilling ahead, total losses were suddenly encountered with high mud
losses. The loss rate was gradually reduced as the rig attempted to keep the
hole full by filling it with pre-mix and base oil and then eventually seawater.
The well was then stabilized by placing Lost Circulation Material (LCM) in the
open hole section. The well schematic is shown in Figure 6.
The drill string was round-tripped to lay down a radioactive source. As the
string washed down from the top of the 9 5/8" liner, dynamic losses were again
induced. At the shoe a flow check gave some gains but this was suspected to
be due to ballooning effects. The well was circulated and conditioned before a
new flow check again gave some gains. Circulation with the well open was performed
when a sharp increase in returns was observed. The well was then shut in on the
annular preventer on the BOP.
Attempts were made to stabilize the well by circulating out gas through the
choke. Returns were again lost and then seawater was bullheaded on the
annulus side while the losses continued to increase. Two LCM pills were
displaced in an attempt to cure the losses without success. It was then
attempted to kill the well by pumping additional water-based mud. During the
circulation, dynamic losses were experienced and the returns contained crude
oil. After circulating the well full of seawater, another LCM pill was displaced
down and squeezed to cure the losses, but this was unsuccessful. It was then
attempted to kill the well by circulating mud around through the choke. Due to
high gas peaks and unstable returns, the well was shut in and it was attempted
to bullhead the gas on the annulus side by additional volumes of seawater and
mud.
Gas readings were still high and a gunk pill was pumped through the drill pipe
to plug off the open hole. The gunk pill plugged off the drill pipe, thus the
ability to circulate the well was lost. The casing pressure continued to rise and
an attempt to pressure test the annulus broke down the formation and gave
injectivity. The casing pressure was still rising so the annulus was bullheaded
with seawater, causing the casing pressure to drop to zero. When
circulating across the BOP there was still loose sand. To stem the losses, an
LCM pill was bullheaded down and squeezed into the formation. The well was
then shut in and monitored showing a rapid pressure build up on the casing
side. The pressure was bled off in an attempt to control the well. At the same
time, they started to pump mud on the annulus side to increase the hydrostatic
head, while a mix of free gas and mud was bled off.
While continuing to bleed-off and pump/lubricate on the annulus side, wireline
equipment was rigged up on top of the drill string. After a wireline drift run, and
a tubing perforator mis-run, the drill string was successfully perforated at
depth. The surface pressure was then allowed to stabilize, while pressure was
maintained on the outer annulus side. Subsequently, the well was killed with
mud and full well control regained.
Figure 6 Well with circulation losses and well control
The consequences were:
-The well had to be sidetracked at high cost
-During the loss/well control events, well barriers were not in place at all
times.
-The gunk pill plugged off the drill string, worsening the situation
-The load imposed on the well during the well control incident exceeded the
test pressure that had been applied. The barriers were not verified
2.4.4 Case 4: Gas leaks in tubing strings
A major operator reported tubing leaks in 14 subsea wells. The leaks were
small, not requiring shut-in of the wells. Because the wells are subsea they are
less accessible. A review is given in the following.
Table 1 Number of wells with reported tubing leaks
Oil production wells: Possible causes and solutions

Figure 7 shows retrieved tubing with a big hole. However, leaks in tubing
usually start as small leakages and the most common leak path is through the
couplings.
Figure 7 Hole in the production tubing
There are many possible sources for leaks and these will be discussed below.
Leak in subsea valves
The pressure in the annuli is controlled using 2-1/16" needle valves. Particles in
the flow may damage or erode these valves leading to leakage. The following
valves are used:
-annulus master valve (AMV)
-annulus wing valve (AWV)
-annulus circulation valve (ACV)
-cross over valve (COV)
-annulus vent valve (AVV)
All wells (for the specific field) were equipped with needle valves except in one
well where the valves have been replaced with Pacson gate valves.
Leak in the PBR
All wells have 7" polished bore receptacles (PBR) installed. The installation
procedure used is as follows:
-Perforate in overbalance
-Run liner stem, tubing plug, production packer and PBR in separate run.
-Run PBR seal stem and tubing in separate run. Depth based on pipe tally,
not on weight.

Figure 9 Sketch showing the tubing stinging into the PBR above production packer
This implies that the seal stem was not locked to the PBR. Lowering the seal stem 3000 m into
the well may lead to wear and debris may be pushed into the PBR, leading to a potential
leakage problem. Due to ballooning and temperature effects, the seal stem may move into the
PBR. The surface may be corroded and scaling can be deposited.
Most wells had a higher pressure in the A-annulus than inside the production tubing (after
reservoir depletion). This was also the case when the wells were shut in. A leakage was
therefore possible from the A-annulus, through the PBR and into the production tubing. Several
wells had experienced pressure drop in the A-annulus, indicating a possible leakage through the
PBR.
Leakage in tubing and connections due to corrosion and erosion.
All oil producers were completed using 13 Cr tubing. Corrosion was unlikely for this material.
However, not all possible corrosion mechanisms are ruled out. The wells produce
with high GOR, and sand and water are reported in the separator systems. Erosion is most likely
to occur at chokes and bends. Measurements were not yet conducted. Some erosion was seen in
chokes, but it was defined as a design problem and has now been corrected. New Vam threads are used
in part of the completion. These are notoriously weak in compression, but there is no indication
that they have failed.
The completion string in well A-17 was pulled out for inspection. No
corrosion was found, only minor marks on the pipe surface, and some small
signs of sand erosion inside. The PBR had many small marks on the seal
surfaces, but this is inconclusive with respect to leakage.
Recommendations:
-Measure wall thickness in surface bend to see if sand erosion is present.
-Run caliper log/pipe thickness tool in selected wells.
-Evaluate another thread dope
-Check make-up torque chart for all tubing and assemblies run in the next well.
-Consider sand production reduction measures.
-Analyze the completion string on well A-10 when recompleted.
Other factors
The oil wells were perforated in overbalance before placing the completion
strings in two runs. The wells were not cleaned out after perforating, which
may lead to high skin (wells A-11 and A-18). It is possible that the upper
perforation interval or layers of high permeability contributes to the
production. The bottom-hole pressure varies 150-200 bars between
production and shut-in. This will lead to movement of the PBR, and a risk of
leakage. Well A-11 has a leak, and well A-18 has an indication of a leak. In
drilling phase 2, alternative completion solutions should be considered.
The following main recommendations were given:
-Perform a leakage test program for subsea valves
-Replace needle valves with gate valves at future workovers
-Eliminate PBR where possible. If PBR is required, set new packer and prespaced PBR over, alternatively use extended joint.
-Verify metal-to-metal seal and pressure test seal on downhole pressure
gauge.
-Verify that thread loadings are within specifications.
-Revise procedure for monitoring the A-annulus pressure in oil wells:
o A-annulus pressure between 10 and 90 bar
o Monitor the A-annulus pressure with other production data.
-Measure wall thickness of bends to check for sand erosion.
-Run caliper log/wall thickness in selected wells.
-Consider 13 Cr tubing in gas injection wells.
2.4.5 Case 5: Production casing failure
Both the production tubing and the production casing in a North Sea well
collapsed and had to be replaced. The events that led to this incident are
described below.
The 9-5/8" production casing is installed in two operations. The bottom section
is landed from 2515 m to 4815 mTVD and cemented in place. Then the upper
part of the production casing is landed on a PBR, which provides a seal. This is
called a tieback solution. Repeated pressure tests were performed after
installation because the pressure could not be maintained. This indicated a leak
in the system. This leak could be at any location; at the PBR, in a casing
connection or in the surface equipment. The surface equipment was thoroughly
checked and eliminated. Finally, a couple of pressure tests were performed and
accepted and the well was completed for production.
The well was set on production. At a later time it was discovered that the
production casing had collapsed at a depth of about 700 m. It was decided to
pull out and replace the tieback production casing.
The tieback string was changed according to the plan, and the well is now back
in production. A possible root cause of the failure is that there was a leak
somewhere in the production casing or at the PBR, such that pressure was built
up behind the casing during pressure testing. During production thermal effects
caused the pressure behind the production casing to exceed the collapse
resistance of the casing. The need for repeated casing pressure tests should
raise questions about the integrity of the casing.
Another root cause was found during inspection of the retrieved casing. Figure
10 shows the deformed tubular. The production casing was a 9-5/8" N80 53.5
lbs/ft. The failed casing was 47 lbs/ft, which has 30 % lower collapse resistance.
Only one length of this quality was found, and there were no records showing
why one weaker casing length was placed in the production string. The collapse
resistance of the 53.5 lbs/ft production casing was 456 bar, whereas the
collapse resistance of the 47 lbs/ft casing joint was 328 bar, a reduction of 28
% in collapse resistance.
Figure 10 Failed production casing and production tubing
The consequences of this incident were:
-High cost to replace both production casing and production tubing.
-High cost of production loss as the well was shut in for a long time.
-Improve casing test procedures and qualification of casing tests
-Improve casing inspection/control procedures
2.4.6 Case 6: Well failure


This was one of the major incidents in the North Sea area. During a workover, a
gas blowout occurred outside the well from the reservoir to the seabed. Craters
were formed at the seabed template, and gas formed underneath the entire
platform. Most of the personnel were evacuated, and the well crew managed to
take control and kill the well. Fortunately, this incident happened on a day with
no wind in this part of the North Sea, which is very unusual.
For that reason gas accumulated underneath the entire platform giving it a
significant potential for explosion and fire. Luckily the situation was controlled
with no further dangers.
There were many elements that contributed to this event. Originally, the well
had a hole in the casing that was isolated with a scab liner. During the
workover, the scab liner was retrieved without proper barriers in place. When
retrieving the scab liner, the small clearance between the scab liner and
the casing led to swabbing followed by a kick. This happened at the same
time as a barrier element of the second well barrier was removed (scab liner).
Figure 11 Sketch of situation when the scab liner was pulled out of hole
Because gas leaked from the reservoir into the well, out through the casing
hole and along the outside of the well up to seabed, both well barriers had
failed. This case shows the importance of knowing the status of the well
barriers at all stages of the well operation.
Figure 12 Washed out formation around the well
Consequences were severe:
-The entire platform production was stopped for weeks, but not fully restored
until after several months, leaving a considerable loss in income.
-The incident occurred due to removal of secondary barrier element (scab
liner) and simultaneous failure of the primary mud barrier (swabbing) during
the operation.

Well Construction and Field Development


3.1 Well Types and Well Life Cycle
There are basically two types of wells:
-Exploration well: The main purpose of an exploration well is to find potential
reservoirs for future development and production. These wells are normally
plugged after logging / testing.
-Production / injection wells: After drilling, these wells are completed for
production and / or injection. Water or gas is normally injected into the
reservoir to maintain pressure. After the production phase has ended, plugging
and abandonment of the well takes place.
For offshore field developments, different types of drilling rigs can be used.
Examples are bottom-supported platforms like Jack-up rig, steel jacket-based
platform, concrete-based platform and Mobile Offshore Drilling Unit (MODU) like
semi-submersible drilling rig and drill ship. Field development can be divided
into exploration, development, production and abandonment phases.
3.2 Subsea drilling
Figure 13 illustrates a typical casing program for a subsea well.
Figure 13 Typical casing program for a subsea well
Drilling fluid is circulated through the rotating drill string and the drill bit and
through the annulus between the drill string and the borehole. The casing
strings are used to stabilize the borehole. The following illustrates a typical
casing program for a subsea well. When drilling the 36 hole for the 30
conductor, the drill cuttings from the borehole are circulated and disposed on
the seabed. After the hole has been drilled, the 30 conductor casing is run and
cemented in place. The main objective of the conductor casing is to isolate the
well from unconsolidated surface zones. Then the 26 hole for the 20 casing is
drilled with drilling fluid return to seabed (in the past, a marine drilling riser
was used for drilling this section). The 20 casing which is connected to the
wellhead (often termed wellhead casing or surface casing) is then installed and
cemented in place. The main objectives of the wellhead casing are to isolate
the well from unconsolidated surface zones, support the weight of the BOP and
other casing strings, and protect the well from shallow water and shallow gas
reservoirs. Normally, cement is displaced all the way to the wellhead.
Today, mud recovery systems may be used when drilling the top hole sections
(holes for 36 and 20 casing string) to avoid drilling fluid return to sea.

After the surface casing is set and cemented, the Blow-Out Preventer (BOP) is
run on the marine drilling riser and connected to the subsea wellhead. The
drilling riser is used for the return of drilling fluid back to the drilling vessel
where the drill cuttings are removed before the drilling fluid is re-circulated into
the borehole. The next hole size will typically be 17 and the corresponding
intermediate casing string will be 13 3/8. The main objective of the
intermediate casing string is to protect zones from circulation losses, isolate
zones with low or high pressure and isolate hydrocarbon formations that might
not be produced temporarily or permanently. Further, the 12 bit is used to
drill the hole section for the 9 5/8 production casing. The purpose of the
production casing, which is typically set in the cap rock above the reservoir, is
to protect the production tubing, allowing the hydrocarbons to be produced
safely. Finally the 8 bit is used to drill the hole section for the 7 casing
string. Normally, the 7 casing string is run as a liner. A liner is a pipe extension
from the last set of casing string. A liner is normally extended back to the
wellhead using a tie-back string.
The formation pore- and fracture pressure are normally converted to an
equivalent mud weight with reference to the drill floor level (RKB). This is
illustrated in Figure 14.
The conductor casing is typically set 50 - 80 m below the seabed (BSB). The
casing setting depth is normally dictated by the geology, formation
pore/collapse pressure and the fracture pressure. Figure 14 shows a typical
pore- and fracture pressure plot. During drilling the mud weight must be kept
above the pore pressure and below the fracturing pressure to avoid well fluid
influx from the formation (kick) and mud losses to the formation. Losses may
reduce the hydrostatic head and overbalance and result in a possible kick. The
drilling mud is the primary well barrier during the drilling phase. Typical safety
margins for mud used in drilling are 30 kg/m3 and 10 kg/m3 towards the pore
pressure and fracture pressure respectively.
Figure 14 Equivalent mud weight, equivalent pore pressure (Pp) and equivalent
fracture pressure (Pf )/ equivalent minimum formation stress vs. depth (TVD)
For a well in operation or a well that is to be permanently plugged and
abandoned, the integrity of formation as part of the well barrier envelope
should be ensured. Information about the minimum formation stress of the
formation being a part of the barrier envelope should therefore be gained
during drilling and used as baseline for maximum allowed pressure for the
formation as barrier in these phases.
The minimum formation stress is the same as the fracture closing pressure,
and information about the minimum formation stress is gained through
extended leak-off tests (XLOT). Figure 15 shows the typical pressure behavior
in the well when pressure is exerted on the formation. Any pressure in the well
above the minimum formation stress may lead to reopening of fractures and
natural faults and lead to leakage to the environment. When the pressure is
reduced to the minimum formation stress, the fracture closes and the integrity
of the formation is regained.
Figure 15 Typical pressure behavior when performing XLOT
A well stability plot is shown in Figure 16. It is seen that the mud weight is
planned lower than the Mini frac test data in the area in the different hole
sections.
Figure 16 Example of a wellbore stability plot from the oil industry
3.3 Platform drilling
Drilling a well from a seabed-supported platform is less complicated compared
to using an MODU, simply since there is no movement of the vessel, and the
BOP is located on the platform making maintenance and operations more
convenient. The conductor is normally installed using the hammer technique to
drive the pipe into the top hole formations. Then drilling continues more or less
as in subsea drilling as discussed above. The main advantages are access for
monitoring of the annulus, easy wellhead access and less complicated and
lower cost well intervention.

3.4 Subsea Well Completion


Well completion takes place in order to prepare the well for production or
injection. Typical steps are as follows:
1. A production tubing is run in hole (RIH), the tubing hanger is landed and
the production packer is set. The completion is then pressure tested to verify
integrity, see Figure 17.
2. An X-mas tree (steel block) with valves for controlling the fluids is installed
on top of the wellhead, see Figure 18.
3. A control umbilical is used to control the X-mas tree and downhole functions.
4. A pipeline system is connected to the X-mas tree for production or injection.
Figure 17 Example of subsea well with tubing hanger and tubing string installed
(for vertical X-mas tree installation)
3.4.1 Types of X-mas trees for subsea wells
The subsea X-mas tree provides the primary method of closing a well and
controlling fluid flow during production or injection. A subsea tree is designed to
control the flow of hydrocarbons from the well through a collection of valves
and fittings. The valves enable the well to be externally shut-in if needed. Some
other functions of the subsea X-mas tree include chemical injection point, well
monitoring points and vertical access for well intervention.
There are two main types of X-mas tree:

- Conventional (dual bore / vertical) X-mas tree: The tubing hanger and tubing
  are suspended in the wellhead. See Figure 18.
- Horizontal X-mas tree: The tubing hanger and the tubing are suspended in
  the X-mas tree. See Figure 19.
Figure 18 Subsea well with vertical X-mas tree (dual bore through X-mas tree
and TH)
Figure 19 Subsea well with horizontal X-mas tree
The most significant differences between the vertical and horizontal tree are
the position of the valves and tubing hanger. X-mas trees of both
configurations are frequently selected. The advantage of the horizontal X-mas
tree is that the tubing can be removed without removing the tree.
So, if more frequent replacement of the production tubing is expected
compared to the X-mas tree, a horizontal tree may be selected. Installation of a
horizontal X-mas tree reduces the amount of equipment needed, time and cost.
It also allows easier access for well intervention. A disadvantage is when the
tree itself has to be removed. In this case, the upper completion (tubing
hanger, tubing, DHSV, etc.) has to be retrieved which is a time consuming and
costly operation. An additional disadvantage is that interventions through
the tubing are more difficult than with a vertical tree, since removing or
installing plugs is more difficult than opening or closing the valves in the
conventional X-mas tree.
Below is a description of the main valves in a subsea X-mas tree used for the
production phase:
Master valve: It is used to completely shut in the well production
tubing/annulus. The valve is usually a 5 1/8 double acting seal valve. The
production master valve is situated between the wellhead and the production
bore and the annulus master valve is a valve on the bore into the annulus. The
annulus master valve is used for shutting in any production or injection in the
annulus, i.e. gas lift. The valves are power operated fail-safe closed valves.
Wing valve: The wing valve controls the production/injection or annulus flow.
The valve is usually a 5 1/8 double acting seal valve. The valve is usually
located downstream of the master valve in the production bore and the
annulus bore.
Cross over valve (XOV): This valve provides communication between the
annulus and the production bore which normally is isolated.
Choke valve: The choke valve controls the flow and is located downstream of
the production wing valve. It is typically operated by a hydraulic stepping
actuator. The valve is retrievable and prone to erosion risk.
Typically, smaller pipes are connected to the production tubing branch
(between PMV and PWV). Two of these are used for injection of chemicals such
as scale inhibitor (SIV) and methanol (MIV).

The X-mas tree valves may need to be closed due to different situations such
as functional and pressure tests, shut-down on the platform and deterioration
or leakage of subsea equipment. This is why the hydraulically operated subsea
X-mas tree valves in the production phase are fail-safe close. This means that the
valves will automatically close if the signal or hydraulic control pressure is lost.
Usually the valves are closed by a preprogrammed shutdown sequence. If it is
impossible to close the X-mas tree valves by using the control system, the
hydraulic fluid in the valve actuators may be drained from various places. In
this case the closing operation will be more time consuming.
3.5 Surface well completion
Figure 20 illustrates a surface wellhead system. The different casing strings are
supported in the wellhead in separate casing hanger spools with annulus
access for pressure monitoring. The X-mas tree is stacked on top of the
wellhead as illustrated in Figure 21.
Figure 20 Surface wellhead system (FMC Energy Systems)
The following valves are always to be fail-safe closed:
- Hydraulic master valve (HMV)
- Production wing valve (PWV)
- Exit blocks for chemical injection
The surface X-mas tree usually consists of one solid block with the valves
integrated. Figure 21 shows an example where the X-mas tree consists of
valves flanged together (not one solid block).
Figure 21 Surface wellhead and X-mas tree (FMC Energy Systems)
For surface completed wells all annuli are usually available through wellhead
valves for possible control and monitoring of pressure. Wells with a subsea
wellhead and a surface X-mas tree may have limited access to the annuli
outside annulus A. Such limitation is typical for TLP platform wells. The
difference is shown in Figure 22.
Figure 22 Typical difference between annulus monitoring possibilities for
platform well versus platform TLP well

4. Well Barriers: definitions, classification, and requirements


4.1 Key concepts and definitions
Well barriers are used to prevent leakages and reduce the risk associated with
drilling, production and intervention activities. Well barrier: Envelope of one or
several dependent barrier elements preventing fluids or gases from flowing
unintentionally from the formation into another formation or to surface
[NORSOK D-010].
The main objectives of a well barrier are to:
- Prevent any major hydrocarbon leakage from the well to the external
  environment during normal production or well operations.
- Shut in the well on direct command during an emergency shutdown situation
  and thereby prevent hydrocarbons from flowing from the well.

A well barrier has one or more well barrier elements. Well barrier element:
Object that alone cannot prevent flow from one side to the other side of itself
[NORSOK D-010].
Some well barriers have several barrier elements that, in combination, ensure
that the well barrier is capable of performing its intended function(s).
Events and situations that require a functioning well barrier are called
demands. A demand can be instantaneous or continuous. An example of an
instantaneous demand is a command from the emergency shutdown system at
the platform that requires response from the well barriers. A continuous
demand may be a constant high pressure (that the well barrier must
withstand).
In general, there are four main ways in which hydrocarbons can leak from the
system to the environment:
- Through the downhole completion tubing string
- Through the downhole completion annulus
- Through the cement between the annuli
- Outside and around the well casing system
4.2 Well Barrier Requirements
The performance of a well barrier may be characterized by its:
- Functionality; what the barrier is expected to do and within what time
- Reliability (or availability); the ability, in terms of probability, to perform the
  required functions under the stated operating conditions and within a specified
  time.
- Survivability; the ability of the barrier to withstand the stress under specified
  demand situations.
Regulatory bodies give overall requirements in their regulations, and make
references to guidelines and recognized national and international standards
for more detailed requirements. The Norwegian Petroleum Safety Authority
(PSA) uses, for example, the following regulatory hierarchy:
- Regulations
- Guidelines (to the regulations)
- National and international standards that are referenced in the guidelines,
  such as NORSOK standards, ISO standards, API standards, and IEC standards.
We may distinguish between requirements that apply to barriers in general
(e.g., as stated in PSA's Management Regulations, § 4 and § 5), and
requirements that apply to well barriers in particular (e.g., as stated in PSA's
Facilities Regulations, § 48). The associated guidelines provide further details
and give references to specific parts of national or international standards. The
guideline to § 48 of the Facilities Regulations, for example, refers to specific
chapters of the NORSOK D-010 standard and also to specific sections of the
Management Regulations.
From the guideline to § 48 of the Facilities Regulations, and the referenced
standards, the following requirements can be deduced:
- At least two independent and tested barriers shall, as a rule, be available in
  order to prevent an unintentional flow from the well during drilling and well
  activities.
- The barriers shall be designed so as to enable rapid re-establishment of a
  lost barrier.
- In the event of a barrier failure, immediate measures shall be taken in order
  to maintain an adequate safety level until at least two independent barriers
  have been restored. No activities for any other purposes than re-establishing
  two barriers shall be carried out in the well.
- The barriers shall be defined and criteria for (what is defined as a) failure
  shall be determined.
- The position/status of the barriers shall be known at all times.
- It shall be possible to test well barriers. Testing methods and intervals shall
  be determined. To the extent possible, the barriers shall be tested in the
  direction of flow.
Separate regulations are issued by the PSA for handling of shallow gas in
drilling operations. When drilling the tophole section, the gas diversion
possibility is regarded as the second barrier. This is, however, not a barrier
according to the barrier definition above.
4.3 Well Barrier Functions
In the analysis of well barriers, it is important to understand the barrier
functions and the possible ways the barrier can fail.
NORSOK D-010 distinguishes between primary and secondary well barriers. A
primary well barrier is the barrier that is closest to the pressurized
hydrocarbons. If the primary well barrier is functioning as intended, it will be
able to contain the pressurized hydrocarbons. If the primary well barrier fails
(e.g., by a leakage or a valve that fails to close), the secondary barrier will
prevent outflow from the well. If the secondary well barrier fails, there may, or
may not, be a tertiary barrier available that can stop the flow of hydrocarbons.
Examples: For operations in a killed well, the hydrostatic pressure is regarded
as the primary barrier, and the topside equipment, usually a BOP, is regarded
as part of the secondary barrier together with cemented casing and sufficient
casing shoe formation strength (See Figure 23)

Figure 23 Primary and secondary barriers in production and drilling mode


Barrier elements that involve electrical, electronic, and/or programmable
electronic technology are referred to as safety-instrumented functions. An
example of a safety instrumented function is the DHSV, which is only activated
upon signal from sensors or manual pushbuttons. Safety-instrumented
functions are carried out by a safety-instrumented system with three main
subsystems:
- Input elements; sensors (for automatic activation) or push-buttons (for
  manual activation)
- Logic solver(s); an electronic or non-electronic device that processes the
  signal(s) from the input elements and sends signals to the relevant final
  elements
- Final elements; physical items that interact with the well, for example
  valves, such that loss of containment is stopped or avoided.
Several safety-instrumented functions may be built into the same
safety-instrumented system. The same logic solver may, for example, be used to
activate several isolation valves. However, there are some important design
considerations: Functions that shall respond to the same event (e.g., well kick
or choke collapse) should not share components. This means that if the primary
and secondary barriers have safety-instrumented functions, they need to be
placed in two different (and independent) safety-instrumented systems so that
a failure of the logic solver cannot cause simultaneous failure of the
primary and the secondary barrier. On an oil and gas installation, there are
several safety-instrumented systems with names related to their essential
function: emergency shutdown systems, process shutdown systems, fire and
gas detection systems, and so on.
4.4 Well barrier schematics and diagrams
Well barriers and their role in preventing or acting upon leakages from wells
may be illustrated in many different ways. We distinguish between:
- Well barrier schematics
- Barrier diagrams
Well barrier schematics and well barrier diagrams are important tools for
reliability and risk assessments of the well in all phases of its life cycle and for
well integrity assessments. Well life cycle: The time interval from a well's
conception until it is permanently abandoned.
4.4.1 Well barrier schematics
A well barrier schematic (WBS) is a static illustration of the well and its main
barrier elements, where all the primary and secondary well barrier elements
are marked with different colors. A well barrier schematic (WBS) is shown for a
standard production well in Figure 23. This well has six primary well barrier
elements:
- Formation / cap rock above reservoir
- Casing cement
- Casing
- Production packer
- Completion string (below the DHSV)
- Surface controlled subsurface safety valve (DHSV)
and six secondary well barrier elements:
- Formation above production packer
- Casing cement
- Casing with seal assembly
- Wellhead
- Tubing hanger with seals
- Annulus access line and valve
- Production tree (X-mas tree) with X-mas tree connection
Examples of well barrier schematics for a wide range of well situations are
established and evaluated in NORSOK D-010.
Figure 24 Well barriers schematic for a standard production well.
4.4.2 Well barrier diagrams
The well barriers can also be illustrated by a well barrier diagram. The well
barrier diagram is a network illustrating all the possible leak paths from the
reservoir to the surroundings. What is meant by surroundings depends on the
situation and may be the external environment (e.g., the sea for a subsea well,
the platform deck for a topside X-mas tree), or some parts of the system (e.g.,
the flowline from a subsea well). A well barrier diagram for the production well
in Figure 24 is shown in Figure 25.
Figure 25 Barrier diagram for the production well in Figure 24.
All the paths from the reservoir to the surroundings in Figure 25 are possible
leakage paths. If, for example, the DHSV and the X-mas tree valves (including
the stem seals) both have critical failures (i.e., fail to close or leakage in closed
position), there is a leakage from the reservoir to the surroundings. A barrier
diagram may be drawn in many different ways; an option is to draw the
diagram vertically with the reservoir in the bottom and the surroundings in the
top. The logic of the diagram should, however, be the same in all options. A
well barrier diagram for a complex well situation may be rather complex with
many possible leakage paths. Well barrier diagrams are best suited for static
situations, i.e., for wells in production. Barrier diagrams are useful for keeping
an overview when analyzing various well barrier arrangements and for
analyzing the reliability of the barriers.
4.5 Reliability analysis and methods
The term reliability conveys failure-free operation and confidence in the
equipment. Formally, reliability is defined as the ability of a system to perform
its intended functions, under given environmental and operational conditions
and for a stated period of time (IEC 60050-191). The ability can be studied
qualitatively, for example by identifying the combination of component failures
that may lead to system failure, or quantitatively, by calculating the probability
or frequency of system failures.
4.5.1 Reliability analysis of well barriers
In the context of well integrity, we will introduce reliability analysis methods
that can be used to identify and assess the impact of failures of well barrier
elements. Such analyses are useful for:
- Comparing different well completion alternatives with respect to blowout
  probabilities
- Evaluating the blowout risk for specific well arrangements
- Identifying potential barrier problems in specific well completions
- Assessing the effect of various risk reduction methods
- Identifying potential barrier problems during well interventions
After many incidents and accidents in relation to well integrity, more focus has
been directed towards assessing the reliability of well barriers. The purpose of
this section is to describe some of the methods that can be used to analyze
well integrity qualitatively as well as quantitatively. To be able to perform
quantitative analysis it is necessary to have a background in system reliability
theory. The quantitative part is therefore limited to giving a small practical
example with basis in available well performance data. To give a thorough basis
for system reliability theory is outside the scope of this compendium. Readers
who want to get a deeper understanding of this subject may consult Rausand
and Høyland (2004) or some other textbook on reliability theory.
4.5.2 Analysis steps
A well barrier analysis should be structured and may include the following
steps:
1. Define and become familiar with the system
This step includes the definition of the operational situation, review of well
schematics, construction of barrier diagram, and listing of barriers and their
barrier functions.
2. Identify failure modes and failure causes
The main method for failure identification is the failure modes, effects, and
criticality analysis (FMECA). The objective of the FMECA is to identify all the
failure modes, their causes, and effects for each of the barrier elements of a
well barrier system.
3. Construct a reliability model of the well barrier system
There are several alternative models available, and the choice of models
should be based on what type of system states we want to study and the
access to relevant data to support the models. We recommend, however, fault
tree analysis, since this method is intuitive and easy to understand (at least for
the qualitative parts) for those who do not have a background in system
reliability theory. A fault tree is a graphical model that illustrates all the
combinations of failure events that may lead to a system failure (i.e., leakage
to the surroundings). The fault tree is easy to establish from the well barrier
diagram.
4. Perform a qualitative analysis of the fault tree
All the information about the causes of system failure can be summarized in the
minimal cut sets of the fault tree. A minimal cut set is a (smallest) combination
of failure events that may give a system failure. A system failure occurs when
all the failure events of a minimal cut set occur, and minimal cut sets with few
failure events are therefore more important than minimal cut sets with many
failure events. Algorithms for identification of minimal cut sets are available.
With basis in the minimal cut sets, we can discuss issues such as critical
components or elements and vulnerability to common cause failures. This type of
information may be useful when planning well operations, well barrier
maintenance, and training of personnel.
5. Perform quantitative analysis of the fault tree
By combining reliability theory and reliability data with a fault tree, we can
determine a number of reliability parameters of interest, for example the
probability of primary barrier failure, failure rates for primary and secondary
barriers, time to first failure of primary and/or secondary barrier, and so on.
System reliability analysis is based on statistical models and methods. This
means that the results are subject to uncertainty, due to modeling
assumptions, adequacy of data, and the spread in possible outcomes that
follows the distribution of, e.g., time to failure that is recorded for similar
systems and components.
6. Report results
It is important to document all results, including assumptions and limitations
that have been made. Recommendations that require further follow-up,
whether they point back to a need to redesign or to update planning,
operating, or maintenance procedures, need to be sufficiently highlighted.
Recommendations should always be assigned responsible persons or
departments.
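Steps 3 to 5, together with the earlier design rule that safety-instrumented functions responding to the same event should not share a logic solver, worked through in code. This is an added example, not part of the original compendium: the fault tree is a constructed simplification (not Figure 25), and the event names and failure probabilities are assumptions chosen for illustration.

```python
"""Minimal cut sets and leak probability for a simplified well barrier fault tree.

Added illustration. The tree, event names and probabilities are constructed
assumptions; they are not taken from Figure 25 or from any field data.
"""
from itertools import product

# A tree node is either a basic-event name (str) or a gate tuple:
# ("AND" | "OR", child, child, ...). TOP event = leak to the surroundings.


def well_tree(shared_logic_solver):
    """Two leak paths: through the tubing, and via annulus A."""
    ls_dhsv = "LOGIC_SOLVER" if shared_logic_solver else "LOGIC_SOLVER_A"
    ls_xt = "LOGIC_SOLVER" if shared_logic_solver else "LOGIC_SOLVER_B"
    tubing_path = ("AND",
                   ("OR", "DHSV_VALVE", ls_dhsv),   # DHSV does not close
                   ("OR", "XT_VALVES", ls_xt))      # X-mas tree does not close
    annulus_path = ("AND",
                    ("OR", "PRODUCTION_PACKER", "TUBING_BELOW_DHSV"),
                    ("OR", "TUBING_HANGER_SEALS", "ANNULUS_ACCESS_VALVE"))
    return ("OR", tubing_path, annulus_path)


def cut_sets(node):
    """Expand the gates recursively into cut sets (not yet minimal)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    expanded = [cut_sets(child) for child in children]
    if gate == "OR":    # any one child's cut set is enough
        return [cs for sets in expanded for cs in sets]
    if gate == "AND":   # one cut set from every child must occur together
        return [frozenset().union(*combo) for combo in product(*expanded)]
    raise ValueError(f"unknown gate: {gate!r}")


def minimal_cut_sets(node):
    """Drop every cut set that strictly contains another cut set."""
    sets = set(cut_sets(node))
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def top_event_probability(mcs, p):
    """Exact P(TOP) for independent basic events, by enumerating all states."""
    events = sorted(set().union(*mcs))
    total = 0.0
    for state in product((False, True), repeat=len(events)):
        failed = {e for e, is_failed in zip(events, state) if is_failed}
        if any(cs <= failed for cs in mcs):
            weight = 1.0
            for e, is_failed in zip(events, state):
                weight *= p[e] if is_failed else 1.0 - p[e]
            total += weight
    return total


# Constructed probabilities of each element being in a failed state on demand.
P_FAIL = {name: 0.01 for name in (
    "DHSV_VALVE", "XT_VALVES", "PRODUCTION_PACKER", "TUBING_BELOW_DHSV",
    "TUBING_HANGER_SEALS", "ANNULUS_ACCESS_VALVE")}
P_FAIL.update({"LOGIC_SOLVER": 0.001, "LOGIC_SOLVER_A": 0.001,
               "LOGIC_SOLVER_B": 0.001})


def analyse(shared_logic_solver):
    """Qualitative (cut sets) and quantitative (probability) result for one design."""
    mcs = minimal_cut_sets(well_tree(shared_logic_solver))
    return mcs, top_event_probability(mcs, P_FAIL)


if __name__ == "__main__":
    for shared in (False, True):
        mcs, p_top = analyse(shared)
        label = "shared logic solver" if shared else "independent logic solvers"
        print(f"{label}: P(leak) = {p_top:.6f}")
        for cs in mcs:
            print(f"  order {len(cs)}: {', '.join(sorted(cs))}")
```

With independent logic solvers every minimal cut set has two events; sharing one logic solver between the DHSV and the X-mas tree valves produces a cut set of order one, which then dominates the leak probability.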
4.6 Identification of barrier functions
In order to understand how a system can fail, it is necessary to first identify the
system functions. A well barrier system may have several functions, and it is
often useful to distinguish between essential functions, information functions,
and protective functions.
The essential function of a well barrier is more or less obvious. This is the
function that corresponds to the main purpose of the barrier, that is, the reason
why the barrier is installed. For any well barrier we may state that the essential
function is to separate the well fluids from the environment/surroundings. Loss
of this function gives a possible leakage path to the environment.
Information functions provide information about the state and/or status of a
well barrier. The information may, for example, be the position of a gate valve
in an X-mas tree, provided by the position indicator of the valve. Various sensors
may give information about temperature, pressure, flow rate, and so on. Loss of
information functions may give the operating personnel insufficient information
about degradation of the main function and thereby prevent necessary
maintenance from being performed, or lack of required information to manage
an abnormal situation.
Instrumented well barriers often involve electrical, electronic, or programmable
electronic technology with protective functions to prevent any electrical arc
from igniting hydrocarbon gases. Loss of the protective functions may
generate new hazards and hazardous events at the rig, even if the well
integrity as such may be unaffected. It should be noted that some well barriers,
such as for well intervention, are not designed fail-safe. Loss of electrical
power, for example, as the result of lost overpressure in a work-over container,
may result in a disconnection of power to all electrical equipment in the
container, including the programmable electronic controller used to operate
valves and rams in the lower riser package.
The main function of instrumented well barriers is partly implemented by
hardware (e.g., valves, solenoid valves) and software. While hardware functions
normally are rather straightforward to test for conformity to requirements, the
software functions are more complex and it can be difficult to reveal any
unwanted side effects of unfortunate software instructions. This is the case,
even if the hardware containing the software, such as a programmable
electronic controller (PLC), is supplied with a safety certificate. Instrumented
well barriers should be subject to proper qualification before installation and a
management of change system while in use. This also applies to systems that
are temporarily used at the rig for one specific activity, e.g., well intervention.
4.7 Failure and failure analysis
4.7.1 Key terms and definitions

All well barrier elements are installed to perform one or more functions. A
function is usually accompanied by performance criteria. These criteria may,
for example, be related to closing time for a valve and maximum allowed
leakage rate. At the moment one of the functional criteria is not fulfilled we say
that we have a failure. Failure: The termination of an item's ability to perform a
required function (IEC 60050-191).
A failure is therefore an event that takes place at a specific time. After a failure,
the item is in a fault state. Fault: The state of an item characterized by its
inability to perform a required function, excluding the inability during
preventive maintenance or other planned actions, or due to lack of external
resources (IEC 60050-191).
A fault may be manifested in many different ways. The term failure mode is
used as a description of the fault and how the fault is observed. Failure mode is
a commonly used term in the industry, but fault mode would have been a more
precise term in light of the definitions of fault and failure.
Failure mode: The effect by which a failure (or fault) is observed on the failed
item (IEC 60050-191).
Some failures are due to natural degradation and cannot be easily avoided,
while other failures are due to inadequacies in design, construction,
installation, or operation and maintenance. One example is that new failures
are introduced during modifications and minor rebuilding, due to inadequate
understanding of the system or lack of updated (and correct) documents for
the system in question. To understand why failures occur and how they can be
avoided, it is important to understand the failure causes.
Failure cause: The circumstances during design, manufacture or use that have
led to a failure (IEC 60050-191).
Failure causes may be split into two different levels; failure mechanisms and
root causes. A failure mechanism is in IEC 60050-191 defined as the physical,
chemical or other process, which has led to a failure, and is the most
immediate explanation of the failure. Examples of failure mechanisms are
corrosion, erosion and fatigue. The failure mechanism is the cause to look for in
order to make an immediate repair/restoration of the failed item.
Correcting a failure based on the failure mechanism alone seldom prevents
similar failures from recurring. For long term and permanent defense
measures against failures, it is necessary to look for the underlying and
fundamental causes, often called the root causes. Many methods are available
for this purpose under names, such as root cause analysis.
4.7.2 Classification of failure modes
Failure modes may be classified in many different ways, depending on their
criticality and extensiveness. Rausand and Høyland (2004) distinguish
between:
• Intermittent failures; failures that result in lack of some function only for a
very short period of time. An intermittent failure will normally disappear, and
the item will restore itself to a full operating state. This category of failures is
common with programmed functions, and a relevant failure mode for drilling
and well control and shutdown systems.
• Extended failures; failures that result in the lack of some or all functions and
which will continue until the item is repaired or replaced. Here, we may
introduce two sub-categories of extended failures:
o Complete failures
o Partial failures
Failure modes may also be classified into sudden failures and gradual failures.
Gradual failure is perhaps a confusing term (either it should be a failure or not
a failure), but the notation is used with system states that are starting to drift
out of the normal and expected values. Sensor signals that are drifting off or
corrosion that is developing over time are examples of gradual failure (modes).
Extended failures that are complete may have two effects, on the item level
(locally) and on the system (rig or platform) level. It can be distinguished
between (OREDA, 2009):
• Critical failures, which are the immediate and complete loss of an item's
capability of providing its output. An example may be a valve that does not
start to close when requested.
• Degraded failures, which are not critical, but prevent equipment from
providing its output within specifications. An example could be a shutdown
valve that uses slightly longer closure time than what is specified.
• Incipient failure: A failure which is not critical, but which, if not attended to,
could result in a critical or degraded failure in the near future.
Standards for design and operation of safety-instrumented systems, such as
IEC 61508 and IEC 61511, use the classification of safe and dangerous failures.
Safe failure: Failure of an element and/or subsystem and/or system that plays a
part in implementing the safety function that:
• Results in the spurious operation of the safety function to put the system
under protection (e.g., the well) into a safe state or maintain a safe state; or
• Increases the probability of the spurious operation of the safety function to
put the system under protection (e.g., the well) into a safe state or maintain a
safe state
Dangerous failure: Failure of an element and/or subsystem and/or system that
plays a part in implementing the safety function that:
• Prevents a safety function from operating when required (demand mode) or
causes a safety function to fail (continuous mode) such that the system under
protection (e.g., the well) is put into a hazardous or potentially hazardous state;
or
• Reduces the probability that the safety function operates correctly when
required
Safe and dangerous failures may be split further into detected and undetected
failures. A detected failure is a failure that is evident (during non-demand
situations) or is detected by online diagnostics. It is assumed that a detected
failure is revealed shortly after it has occurred. An undetected failure is a failure
that is hidden under non-demand situations and is only revealed by a proof test
or while responding to a demand. A failure that is both dangerous and
undetected is referred to as a dangerous undetected (DU) failure. A failure that
is dangerous and detected is called a dangerous detected (DD) failure. Similar
notations apply for safe failures (SU- and SD-failures).
Example. The failure modes of a DHSV may be classified as:
• Fail to close on demand (FTC): DU
• Leakage in closed position: DU
• Fail to open (FTO): SU
• Spurious (premature) closure: SU
Our main concern is obviously directed to DU- and DD-failures in relation to
maintaining well integrity. The presence of DU- and DD-failures reduces the
safety performance of the system, making it less capable of performing or
maintaining the well integrity. The negative impact of DD-failures on system
safety is reduced if the DD-failures are corrected within a short time. In this case,
the DU failures remain as our main concern with respect to safety performance.
4.8 FMECA
Failure modes, effects, and criticality analysis (FMECA) is a widely used method
for system reliability assessment. The method provides an intuitive and
structured approach to failure analysis, and FMECA is therefore adopted in
many industry sectors. An FMECA is carried out to answer the following
questions:
a. In what ways can system components fail?
b. What are the underlying causes of failures?
c. How can failures be detected?
d. What are the failure effects, on the failed component and on the system as
such?
e. How critical are the failure effects, in terms of damage to humans, the
environment, or material assets?

An FMECA performed without considering question (e) is sometimes referred to
as a failure modes and effect analysis (FMEA). In practice, FMECA and FMEA are
used interchangeably without reflecting any difference in the scope of the
analysis.
The core of an FMECA is the FMECA worksheet, which is filled in during an
FMECA session, a meeting where relevant personnel are gathered. There is no
unique and widely accepted layout of the FMECA worksheet, and many variants
are therefore found in companies and in standards and textbooks. The main
elements are, however, the same in all variants. In some cases, it is important
to highlight failures that are classified as DU, DD, and so on. In this case, the
failure effects should be classified accordingly.
4.8.1 FMECA procedure
An FMECA is easy to conduct and easy to comprehend without any advanced
analytical skills. The ease of using the method may give false
comfort if the analysis is not performed or led by qualified persons. An FMECA is
not a one-person task, but requires the involvement of persons with overall system
knowledge, persons with detailed knowledge of the construction of the
individual components, and an FMECA facilitator. The person facilitating the
FMECA session should have a basic knowledge of the failure concepts and
analysis, including the understanding of main terms such as:
• Failure modes
• Failure mechanisms
• Root causes
• Failure classification strategies that are commonly used in the industry
• Modes of operation
The main steps in an FMECA are described in the following. It is assumed that
an FMECA facilitator has been identified and that this person is responsible for
the preparation, execution, and documentation of the results.
1. Preparation
a. Identify relevant persons (according to competence) for the FMECA session
b. Identify relevant documentation of the system that is to be analyzed
c. Identify supporting information, such as reported failures of similar systems,
experience transfer from other FMECA sessions.
d. If necessary, perform a pre-meeting with some of the identified persons to
participate in the FMECA session to verify that relevant information has been
collected.
e. Select an FMECA worksheet with appropriate columns.
f. Decide if a pre-FMECA session is needed to perform steps 2a) to 2e), as an
input to more detailed FMECA session(s) that cover steps 2f) to 2h).
g. Send out the invitation to the participants, including a brief selection of
documentation, and a clear statement about the purpose of the session.
2. Execution of FMECA session(s)
a. Define the system and its boundaries.
i. This step concerns the identification of what components to include (and
which ones to exclude) in the FMECA. This is not always an easy task, as most
systems are not stand-alone but interfacing other systems. Care should be
taken to not exclude components that could be very determinative for the
system performance. Such components may, for example, be associated with
utility supplies (e.g., hydraulics, power). Excluded components and systems
should be commented in the list of assumptions and limitations of the study.
b. Define the main function (or mission) of the system.
i. This step concerns the overall description of system mission. The function
may be described in terms of a verb plus a noun, e.g., "to activate shear-ram". It
is also useful to add some criteria that would describe the successful
performance of this function, e.g., "to activate shear ram within 10 seconds
upon driller's (manually initiated) command".
c. Describe the operational modes (modes of operation), including operational
and environmental stresses.
i. The causes and effects of failures may be different in different modes of
operation. Each operating mode may also be subject to different operational
and environmental stresses. For example, the ability of the pipe ram to perform
isolation is highly impacted by what is going through the BOP.
ii. In some cases, an operational mode may be broken down into several
sub-modes. In a demand situation (where a closure of the shear ram is required),
the sub-modes may be: open, moving (towards closed position) and closed.
d. Break down the system into subsystems and prepare a complete component
list.
i. It is possible to fill in the FMECA table for the overall system function.
However, in many cases it is required to perform a more detailed analysis of
the various system components. A well barrier comprising several barrier
elements may therefore be studied in separate FMECA worksheets. The
purpose of this step is to identify these system elements.
e. Define the interrelationship between the various subsystems (and
sub-functions), using, for example, a functional block diagram.
i. This step is important in order to relate the detailed assessment results (i.e.,
results of FMECA for each subsystem) to the overall performance of the system.

f. Fill in the FMECA worksheet
i. See an example of an FMECA setup in [cross-reference missing in the source].
g. Review the results
i. The purpose of this step is to review the results in light of the main objective
of the session. Have all relevant limitations been sufficiently documented?
h. Agree upon follow-up of identified design deficiencies, important test criteria
and so on.
4.9 Fault tree analysis
A fault tree can be used for qualitative as well as quantitative analysis of
system reliability. The main purpose of a fault tree is to explain why a system
failure can occur. In our context, the system failure may be leakage to
environment in a particular operating situation. In the fault tree terminology,
this system failure is called the TOP event of the fault tree. The causes of the
TOP event are identified and combined by logic gates.
Fault tree construction is a deductive approach. With basis in the defined
system failure, we ask iteratively what type of events (component failures,
human errors, etc.) that may result in the system failure. A fault tree comprises
the following main elements:
The TOP event: This is a precise description of the system failure, and should
explain what the system failure is (e.g., leakage to environment), where the
failure occurs or is observed (e.g., from the wellhead), and when the failure
may occur (i.e., the operational situation we are looking at). In our context, the
TOP event may be "leakage to environment through the wellhead during
normal production".
OR and AND gates: A fault tree applies two main types of logic gates: OR
gates and AND gates. Most fault trees suffice with these two logic gates, but
several other gates are available for specific purposes. In this compendium,
however, we only consider OR- and AND gates.
OR-gate: The output event occurs when one or more of the basic (input) events
occur, i.e., the output event occurs when basic event 1 OR basic event 2
occurs.
AND-gate: The output event occurs when all the basic (input) events occur at
the same time, i.e., the output event occurs when basic event 1 AND basic
event 2 occur.
Table 6 Explanation of OR and AND gates
Basic events: Basic events conclude the fault tree development and
represent the lowest (modeled) level of events (component failures, human
errors, external event) that may initiate the development of a system failure.
There is no specific rule to what should be defined as a basic event. For
example, one may define the failure of DHSV as a basic event, or break the
item into sub-items (e.g., seal, flapper, and actuator) and define these as basic
events. The level of resolution is often linked to the availability of reliability
data to support the quantitative analysis (e.g., failure frequencies). If data is
not available for the sub-components, but for the DHSV as a total, it is most
feasible to choose DHSV failure as a basic event.
Note that when we define DHSV failure as a basic event, we point at those
failure modes of interest for the failure of DHSV in the context of causing
leakage to environment, i.e., the fail to close (FTC) and the leakage in closed
position (LCP) are the most relevant failure modes in this context.
Additional information about fault trees (and system reliability theory in
general) may be found in Rausand and Høyland (2004).
4.9.1 Fault tree programs
Fault trees for practical systems will usually become rather comprehensive and
it is therefore beneficial to use a dedicated fault tree program. Several
programs for fault tree construction and analysis have been developed. In
Norway, two such programs are commonly used:
• CARA FaultTree, which is available from ExproSoft
(www.exprosoft.com/products/Cara.aspx)
• RiskSpectrum, which is available from Scandpower (www.riskspectrum.com)
Links to several other programs for fault tree construction and analyses may be
found on (www.ntnu.edu/ross/info/software).
4.9.2 Fault tree construction
The events in a fault tree are described in rectangles. For basic events, a circle
is drawn beneath the rectangle and a unique identifier of the basic event is
entered into the circle. The identifier is an alphanumeric code and the
maximum number of symbols is determined by the computer program used. It
is wise to select a code that gives a meaningful reference to the basic event.
The barrier diagram is a good starting point for constructing a fault tree and
the transformation from a barrier diagram to a fault tree is fairly simple. We will
illustrate the procedure by using the well barrier diagram in Figure 25.
We always start with the TOP event, which in this case is "Leakage to the
surroundings". In the well barrier diagram in Figure 25 this is represented by the
node "Surroundings", which is the terminal node of the diagram.
As seen from Figure 25, there are ten different arrows (representing flow
paths) pointing into the terminal node. For simplicity, we refer to these flow
paths as flow path 1, flow path 2, and so on, where we number the paths from
1 to 10, beginning from the top of the diagram.

If at least one of the flow paths is leaking, then we have leakage to the
surroundings. This means that there is an OR-relationship: Hydrocarbons will
reach the "Surroundings" if "Flow path 1" is leaking OR "Flow path 2" is leaking
OR ... and so on, as illustrated in the top section of the fault tree in Figure 26.
Figure 26 Top structure of fault tree for "Leakage to surroundings".
The triangles beneath the rectangles describing the events indicate that the
fault tree is not complete and that we need to continue the evaluation of the
event on a separate page.
A separate fault tree has to be constructed for each of the ten events in
Figure 26. Let us take flow path 6 as an example. To have leakage through this
flow path, the wellhead must be leaking AND there must be flow (i.e.,
pressurized hydrocarbons) to the wellhead. The start of this fault tree is
therefore as shown in Figure 27.
Figure 27 Fault tree (top structure) for "Leakage flow path 6".
The triangle at the top of Figure 27 indicates where this fault tree shall be input
(appended) to the top structure fault tree in Figure 26. The event on the left-hand
side, "Flow into Wellhead", needs further development and is therefore
marked with a triangle. The event "Leakage from Wellhead" is here considered
to be a basic event and is therefore marked with a circle with the alphanumeric
code WHL (i.e., abbreviation for wellhead leak). We might have
developed this event further, for example by distinguishing between the
wellhead seals that may be leaking.
The event "Flow into Wellhead" must be developed further. From the well
barrier diagram in Figure 25, we note that if the production packer OR the
tubing below the DHSV OR the tubing above the DHSV leaks, then there is
"Flow into Wellhead". This can be drawn as a separate fault tree or we can
extend the fault tree in Figure 27. Here, we chose the latter option and the
resulting fault tree is shown in Figure 28.
Figure 28 Complete fault tree for "Leakage flow path 6".
All the events are now considered to be basic events, the fault tree is therefore
complete and we do not need to develop it any further. Note that all the basic
events are given codes. These codes are used in the analysis of the fault tree.
Fault trees for the other nine flow paths can now be constructed in the same
way. The total fault tree will be rather big and a dedicated fault tree program,
such as CARA FaultTree, will be almost required.
4.9.3 Fault tree pros and cons
The fault tree can be constructed directly, or based on a well barrier diagram.
The fault tree is always started by the TOP event that we want to investigate.
For well integrity studies, this event will usually be "Leakage to the
surroundings". The fault tree is developed step by step from the TOP event by
repeatedly asking: "How can this event happen?" The answer to this question
for the TOP event is found by identifying all the possible places the leakage can
come out, i.e., the ten flow paths. Then we study each and every one of these flow
paths and again ask: "How can this happen?" and so on. The fault tree
construction is based on a very simple procedure and it is therefore suitable for
brainstorming sessions involving people that have not been trained in fault tree
construction.
A negative point is that the resulting fault tree often becomes big and many
pages of paper are needed to draw the complete fault tree. It is therefore easy
to lose oversight. One should, however, remember that the fault tree is a logic
structure and that it is fully okay to have the same event many places in the
fault tree. In the further analysis, this is taken care of by the fault tree logic.
We may ask why we should use fault tree analysis and not suffice with a well
barrier diagram since the well barrier diagram is more compact and it is
easier to see the leakage paths. The main reason is the intuitive logic of the
fault tree and its capabilities for both qualitative and quantitative analysis.
4.9.4 Qualitative analysis of the fault tree
A complete fault tree shows all the failure combinations or causes that lead to a
specified failure or dangerous situation. These combinations can be
investigated for the TOP event or for one of the intermediate events (e.g.,
Leakage flow path 6). Most computer programs for fault tree analysis can list
all these combinations, which are referred to as cut sets. Some cut sets will
contain basic events that are superfluous and if these are removed from the
set, the set will still be a cut set. When all of the superfluous basic events are
removed, the cut set is called a minimal cut set. For big fault trees, it is a hard
job to identify all the minimal cut sets manually.
Cut set: A cut set in a fault tree is a set of basic events whose (simultaneous)
occurrence ensures that the TOP event occurs.
Minimal cut set: A cut set that cannot be reduced (Rausand and Høyland,
2004).
The minimal cut sets related to the event "Leakage flow path 6" in Figure 28
are seen to be:
• {WHL, PPL}, i.e., wellhead is leaking AND production packer is leaking
• {WHL, TLBD}, i.e., wellhead is leaking AND the tubing below the DHSV is leaking
• {WHL, DHSV, TLAD}, i.e., wellhead is leaking AND the DHSV is leaking
(or cannot be closed) AND the tubing above the DHSV is leaking.
A minimal cut fails if and only if all the basic events of the minimal cut set
occur. This means that if at least one of the basic events does not occur, then
the minimal cut does not fail. If at least one of the minimal cuts fails, the TOP
event will automatically occur. It is obvious that a minimal cut set with few
events is more important than a minimal cut set with many events. A minimal
cut set with only one basic event means that there is only one barrier between
the reservoir and the event we are studying. A minimal cut set of two basic events
means that two barriers have to fail to give the event we are studying.
4.9.5 Failure rate, mean time to failure, and survival probability
The term failure rate has been mentioned several times without any proper
definition or explanation. Failure rate is a rather complex concept, but is here
used in a rather simple manner. In this compendium, the failure rate of an item
is denoted $\lambda$ and indicates how often the item is expected to fail. The failure
rate $\lambda$ is given as the number of failures per time unit in service. The time unit is
often given as a million hours (or $10^6$ hours). A failure rate of, for example,
$\lambda = 5.5 \times 10^{-6}$ per hour, means that we, on the average, should expect 5.5 failures
during a period of one million hours in service. A related concept is the mean
time to failure (MTTF), which is the expected (or average) time from start-up of
an item until the first failure of this item occurs. The MTTF is given by
$$\mathrm{MTTF} = \frac{1}{\lambda} \tag{0.1}$$
We may also write $\lambda = 1/\mathrm{MTTF}$, such that we can determine the failure rate from
the MTTF (the average time to failure). This means that an item that has an
average lifetime of half a year will have a failure rate of 2 per year. An item
with failure rate $\lambda = 5.5 \times 10^{-6}$ per hour will hence have an MTTF of
$$\mathrm{MTTF} = \frac{1}{\lambda} = \frac{1}{5.5 \times 10^{-6}} = 181818 \text{ hours} \tag{0.2}$$
That is, approximately 21 years in continuous service. This means that the
item, on the average, will fail after 21 years in continuous service. Another
important concept is the survival probability $R(t)$, which is the probability that
an item will survive a specified time period of length $t$ without failure. The
survival probability is given by
$$R(t) = e^{-\lambda t} \tag{0.3}$$
An item with failure rate $\lambda = 5.5 \times 10^{-6}$ per hour will therefore survive a period
of 5 years (i.e., 43800 hours) with probability
$R(t) = e^{-5.5 \times 10^{-6} \times 43800} = 0.786$. This means that after 5 years in service, the item will still be functioning
with probability 78.6% and have failed before 5 years with probability 21.4%.
4.9.6 Well barrier performance data
Quantitative analyses about well integrity
cannot be made without access to relevant reliability data such as failure rates
and MTTFs for technical components, human error probabilities, and so on.
Data collection initiatives are therefore needed in order to collect information
about how frequently well barrier elements fail and why.
The main source of reliability data for well equipment is the WellMaster
database, which is operated by ExproSoft (http://www.exprosoft.com). The
database provides:
• Failure causes for each specific component and failure mode
• Mean time to failure (MTTF) for each failure mode
• Failure rate estimates for each failure mode
• Survival probabilities, i.e., the functions describing the probability of
surviving a certain time t.
Another valuable source of reliability data for XT components and downstream
equipment is the OREDA database (http://www.oreda.com). OREDA does not
supply reliability data for well equipment, so these two databases supplement
each other. The data in OREDA is based on maintenance records and provides
the same type of data as WellMaster. The presentation formats are, however,
different. For safety-instrumented systems (if relevant), the best reliability data
source is the PDS Data Handbook
(http://www.sintef.no/Projectweb/PDS-MainPage/PDS-Handbooks/PDS-Data-Handbook/).
Reliability data for general mechanical equipment may be found in the MechRel
database (http://www.mechrel.com/). A survey of available reliability data sources may
be found on the web page http://www.ntnu.edu/ross/info/data.
4.9.7 Quantitative analysis
Quantitative fault tree analysis would require some basic knowledge in system
reliability theory. The purpose of this section is not to provide this knowledge,
but to show how some reliability measures can be calculated and what type of
input data that is needed to support such calculations.
The formulas given below are based on the assumption that all the basic
events are statistically independent. This implies that if one basic event has
occurred, this will not influence the probability that other basic events occur.
This is not always realistic since the same stresses or same events may
influence several items in the well barrier system. If, for example, the
production wing valve fails to close due to formation of hydrates, it is very
likely that the production master valve will have the same problem. In this
case, the formation of hydrates is a common cause and if both valves fail due
to this cause, we have a common cause failure. Analysis of common cause
failures is an important aspect of the reliability of the well barrier system, but is
beyond the scope of this compendium. Let TOP denote the TOP event of the
fault tree. The probability that the TOP event occurs at time $t$ is denoted
$Q_0(t)$. Further, let $q_i(t)$ denote the probability that basic event $i$ occurs at time $t$. Since a
minimal cut set fails only when all the basic events of the minimal cut set
occur, the probability that minimal cut set $j$ fails at time $t$ is given by
$$Q_j(t) = \prod_{i \in C_j} q_i(t) \tag{0.4}$$
Equation (0.4) may seem difficult, but is in fact rather simple. It only says that
you must multiply the probabilities of all the basic events of minimal cut set $j$.
The TOP event occurs when at least one of the minimal cut sets fails. The
probability of the TOP event $Q_0(t)$ can be written
$$Q_0(t) \lesssim 1 - \prod_{j=1}^{k} \bigl(1 - Q_j(t)\bigr) \tag{0.5}$$
Equation (0.5) is called the upper bound approximation formula and the
development of this formula is too complicated to be fully explained in this
compendium. The formula is, however, easy to use and is also used by almost
all computer programs for fault tree analysis.
If we can find the probabilities $q_i(t)$ of all the basic events ($i = 1, 2, \ldots, k$), we can
use equations (0.4) and (0.5) to determine the TOP event probability. The
problem is now how we can find the probabilities of the basic events. This will
depend on the type of the basic event, and we distinguish between the
following types:
a) Non-repairable. This type means that we consider an item that is not
repaired upon failure except by a full workover intervention. In this case, the
probability of the basic event is
$$q_i(t) = 1 - e^{-\lambda_i t} \approx \lambda_i t \tag{0.6}$$
b) Repairable. This type means that we consider an item that is repaired upon
failure. The failure is detected immediately and the mean downtime for the
item is MTTR (mean time to repair). In this case, the probability of the basic event
is
$$q_i \approx \frac{\mathrm{MTTR}_i}{\mathrm{MTTF}_i + \mathrm{MTTR}_i} \approx \lambda_i \, \mathrm{MTTR}_i \tag{0.7}$$
c) Periodic testing. Many of the barrier elements are passive items where
dangerous failures are only detected by a proof test (e.g., the failure mode "fail
to close" for a DHSV or an XT gate valve). When the time between two
consecutive proof tests is $t$ (e.g., 6 months), the probability of the basic event
is
$$q_i \approx \frac{\lambda_i t}{2} \tag{0.8}$$
d) On-demand. Some basic events are so-called on-demand events, meaning
that a specific event occurs in a specific situation. This event may be a human
error, an environmental condition, or a specific well event. The probability of
such an event is usually given as a fixed probability $q_i$. An example may be
that the driller fails to activate a specific pushbutton.
When CARA FaultTree has been used to construct the fault tree, you can
double-click on a basic event symbol to enter the required data. You will then
first be asked to choose the type of event and thereafter be prompted for the
required input values. When all the required data has been entered, the TOP
event probability is calculated by pressing a button. CARA FaultTree and the
other fault tree programs can also provide many other reliability measures,
such as
• The mean time until the TOP event occurs
• The importance of the various basic events for the TOP event probability
• The uncertainty of the TOP event probability based on the uncertainty of
input data
• and so on
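
The following Python example is added here and is not part of the compendium or of CARA FaultTree: it derives the minimal cut sets for "Leakage flow path 6" and applies equations (0.4) to (0.8), then compares the upper bound with the exact value under independence. The gate structure is inferred from the minimal cut sets listed in section 4.9.4, and every failure rate except the 5.5e-6 per hour reused from section 4.9.5 is a constructed value.

```python
import math
from itertools import product

# Gate tree for "Leakage flow path 6". Figure 28 is not reproduced on the page,
# so this structure is inferred from the minimal cut sets listed in 4.9.4.
FLOW_PATH_6 = ("AND", "WHL", ("OR", "PPL", "TLBD", ("AND", "DHSV", "TLAD")))

HOURS_5Y = 43800        # 5 years in service, as in section 4.9.5
TEST_INTERVAL = 4380    # 6 months between proof tests (the page's "e.g., 6 months")


def cut_sets(node):
    """All cut sets of a gate tree, as a set of frozensets of basic-event codes."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":      # any one child's cut set is enough
        return set().union(*child_sets)
    if gate == "AND":     # need one cut set from every child at the same time
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unsupported gate: {gate!r}")


def minimal_cut_sets(node):
    """Drop every cut set that strictly contains another cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def q_non_repairable(lam, t):
    """Equation (0.6): q_i(t) = 1 - exp(-lambda_i * t)."""
    return 1.0 - math.exp(-lam * t)


def q_repairable(mttf, mttr):
    """Equation (0.7): q_i ~ MTTR_i / (MTTF_i + MTTR_i)."""
    return mttr / (mttf + mttr)


def q_periodic_test(lam, interval):
    """Equation (0.8): q_i ~ lambda_i * interval / 2 (interval is the page's t)."""
    return lam * interval / 2.0


def cut_set_probability(cut_set, q):
    """Equation (0.4): product of the basic-event probabilities in the set."""
    return math.prod(q[e] for e in cut_set)


def top_upper_bound(mcs, q):
    """Equation (0.5): upper bound approximation of the TOP event probability."""
    return 1.0 - math.prod(1.0 - cut_set_probability(cs, q) for cs in mcs)


def occurs(node, state):
    """Evaluate the gate tree for one true/false assignment of basic events."""
    if isinstance(node, str):
        return state[node]
    gate, *children = node
    results = [occurs(c, state) for c in children]
    return all(results) if gate == "AND" else any(results)


def exact_top_probability(node, q):
    """Exact probability under independence, by enumerating all 2^n states."""
    events = sorted(q)
    total = 0.0
    for bits in product([False, True], repeat=len(events)):
        state = dict(zip(events, bits))
        if occurs(node, state):
            total += math.prod(q[e] if state[e] else 1.0 - q[e] for e in events)
    return total


def basic_event_probabilities():
    """Constructed rates (per hour); the DHSV entry reuses the page's 5.5e-6."""
    return {
        "WHL": q_non_repairable(0.2e-6, HOURS_5Y),
        "PPL": q_non_repairable(0.5e-6, HOURS_5Y),
        "TLBD": q_non_repairable(0.3e-6, HOURS_5Y),
        "TLAD": q_non_repairable(0.3e-6, HOURS_5Y),
        "DHSV": q_periodic_test(5.5e-6, TEST_INTERVAL),  # FTC, found by proof test
    }


if __name__ == "__main__":
    q = basic_event_probabilities()
    mcs = minimal_cut_sets(FLOW_PATH_6)
    for cs in sorted(mcs, key=len):
        print(sorted(cs), f"{cut_set_probability(cs, q):.3e}")
    print(f"upper bound: {top_upper_bound(mcs, q):.4e}")
    print(f"exact:       {exact_top_probability(FLOW_PATH_6, q):.4e}")
```

The upper bound comes out slightly above the exact value because all three minimal cut sets share the basic event WHL, so they are not independent of each other even when the basic events are.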
